####################################
Bcoos =< 1.0.13 highlight.php traversal file access
Vendor URL: http://www.bcoos.net
Advisore:http://lostmon.blogspot.com/2008/05/
bcoos-highlightphp-traversal-file.html
Vendor notify:yes Exploit available:yes
####################################
bcoos is content-community management system written in PHP-MySQL
Directory traversal vulnerability in bcoos 1.0.13 and earlier
allows remote attackers to read arbitrary files via a ../
(dot dot) in the CD command or if the attacker know the full path.
Only Can read Files with extension, if the file don´t have extension
bcoos redirect to index.
##############
Versions
##############
bcoos 1.0.13
bcoos 1.0.12
bcoos 1.0.11
bcoos 1.0.10
bcoos 1.0.9
##############
Solution
##############
No solutions was available at this time !!!
Vendor Bugtrack : http://www.bcoos.net/modules/
devtracker/view_issue.php?issue_id=2467
##############
TimeLine
##############
Discovered:02-03-2008
vendor notify:18-05-2008
vendor response:
vendor fix:
Disclosure:18-05-2008
################
Proof of Concept
################
http://localhost/bcoos/class/debug/
highlight.php?file=C:\boot.ini
http://localhost/bcoos/class/debug/
highlight.php?file=../../../../../boot.ini
For exploit this issue the attacker need webmaster privileges.
But if a system has multiple webmasters.. all can read files
outside webserver root directory.
The file what we want to access need a extension if the file no
have extensionvwe can´t read it, and bcoos redirects to index.
################€nd##################
--
Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Subscribe to:
Posts (Atom)